Posted
by
ScuttleMonkey
on Saturday June 24, 2006 @02:12PM
from the new-string-of-finger-thefts dept.

"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions. From the article: 'The company is a bit puzzled by customer privacy fears. After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number? ...The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'"

It does not matter. A person's fingerprint is not a secret. You leave them everywhere. (Unless you wear gloves all the time.) I assume the cashier watches the customer scan their fingerprint, so they know the fingerprint belongs to the customer. If someone comes in and tries to scan a finger not connected to anything, the cashier will probably suspect something.

Another issue is that your fingerprint must be stored somewhere else in a database. This leaves room for an attacker to use a digital copy of your fingerprint for other transactions.Somebody please correct me if I am wrong, but this is nowhere as safe as a private/public key. If the external party saved your public key, there is no worry. However, your fingerprint does not have two version, one being public, and one being private for signing. On the bright side, they can combine a pin number with the finger

The company is a bit puzzled by
customer privacy fears. After all, they say, how can using a unique
fingerprint for identification be riskier to theft than a plastic
card, key chain token or account number that's tapped into a computer
or spoken over the phone?

WTF? How can they say that? Don't they know how
many times each day people lose their fingers? Not to mention the
countless times people give each other the finger! (Done so a few
times myself.)

Also:

It's similar to the finger-scan technology
used at theme park gates. Those systems take measurements of patrons'
hands and fingers and link them to a multi-day pass to prevent several
people from using one person's pass.

I experienced this at Epcot... in Orlando. I don't know if it was
in its experimental phase, but it introduced lots of confusion as
people entered the park. And, it was not clear how or where it was
used the rest of the time we were in the park -- if it was exclusively
to prevent abuse, so be it, but it was an eerie experience at the
gates.

I do wonder about the statement: (FTA)

The company
pledges not to sell or rent personal information, or access to it. The
fingerprint image recorded is not the same as those collected by the
federal government or law enforcement.

How can that be? I know my prints are on file (Top
Secret clearance, cool!), but I wonder how these prints would differ.
Are they storing some kind of hash with no backup of the original scan
or image? Weird, but doubtful.

I think this is great technology as people get more comfortable
with it. I would (and do) worry about how soon people get good at
counterfeiting fingerprints. Thought I'd read a couple of articles on
that very hack and that hacking fingerprints turned out not to be too
very hard. Any resources on that?

Regardless, great point about it not being that much different (and
quite a bit less likely to wander off) from keychain fobs, credit
cards, etc.

From TFA: The company pledges not to sell or rent personal information, or access to it.

I read this line too and it made me want to scream. "Company pledges" are worth exactly shit these days. "We pledge to protect your privacy and retain the right to alter this pledge at any time." "We pledge to never sell or distribute all of this personal information that we insist on gathering, really, unless we're bought out by another company that doesn't pledge this."

I don't want pledges. I don't want them to have this info, period. I don't want to receive marketing from them any more than I want it from third parties.

Now, if there was accountability behind these pledges, such as "We are bonded for a $10,000 per customer coverage to never leak any customer information" or "Under penalties of perjury with a minimum of five years prison time to be served by each member of the entire Board of Directors, we pledge to never sell or otherwise distribute any personal information collected by us. Furthermore, under threat of the same penalites we pledge to use this information only for verification of your account, and never for marketing purposes of any sort."

Now, if there was accountability behind these pledges, such as "We are bonded for a $10,000 per customer coverage to never leak any customer information" or "Under penalties of perjury with a minimum of five years prison time to be served by each member of the entire Board of Directors, we pledge to never sell or otherwise distribute any personal information collected by us. Furthermore, under threat of the same penalites we pledge to use this information only for verification of your account, and never for

Of course, with fingerprints the problem is that everyone from the police to the bum in the park picking up your discarded soda can has that info. Period.

And the real bitch is that as idiots like this company and politicians and law-enforcement yearning for easy solutions start making biometrics like DNA and fingerprints prevalent in society, the incidence and ease of forgeries will make the current card skimming frauds look like a fart in a shitstorm.

Notification of ChangesIf we make material changes to this policy, we will notify you here, by email, or by means of a notice on the Pay By Touch homepage so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we may disclose it. We will update our privacy policy from time to time.

Notice the OR, they can change their TOS any time and promise to change their TOS page accordingly.

Pay By Touch may share your personal information with companies that Pay By Touch contracts to privately and securely verify your identity, process your payments, cash your checks, and prevent fraudulent use of the Pay By Touch services.

We all know how secure third parties are.

"In some cases Pay By Touch may provide algorithm or sensor vendor partners who have entered into confidentiality agreements with Pay By Touch with anonymous biometric scans. These companies use the anonymous test scans only to develop, test, modify and improve the performance of their hardware and software products related to the Pay By Touch services. These test scans are not linked to any personally-identifiable identity or account information."

THE PAY BY TOUCH SERVICE IS PROVIDED "AS IS" WITHOUT ANY WARRANTIES OR REPRESENTATIONS WHATEVER OF ANY KIND, WHETHER EXPRESS OR IMPLIED. Pay By Touch will not be liable or responsible for any damage or injury caused by your use of the Service.

Well, on the anonymous scan part, that is pretty obvious. They're providing a box to developers like you and I. We touch it, it returns a fake record. If it works, it'll return the same fake record every time. If it has a false, it'll probably return a different fake record.
I'm not particularly comfortable with it still.

As someone else said, your fingerprints are everywhere.

Say this does become wide spread. Everyone's using it. I go into a high dollar sto

Cashiers don't even look to see the name on a credit card matches the drivers license. What would make you think that they'd pay attention to a bit of discoloration on the index finger?

Over the years, I've sent girlfriend's out with my credit card to buy things. Only once has one been refused. It's pretty obvious that it's a guy's name on the card, and a girl trying to use it. Even if they checked ID's, they'd see the last names weren't even similar.

If it is in fact a completely different scan that cannot be linked to law enforcement scans that is an awesome technology. DNA even wouldnt be that big of a deal if law enforcement didnt have that type of DNA id. If the two are different, I think it is much less of a privacy issue. We know the govt will take databases en masse to "look for things" so if this is different than their system, they cant simply use it to get around those pesky warrants. (which is a whole different situation, it isnt like a war

So let's assume the FBI wanted to figure out who a person with those characteristics were. What do you think the FBI would do? They would contact Pay By Touch, and Pay By Touch would give them the data they wanted.

It doesn't matter at all if it's not "the same". If it's some kind of hash, it still uniquely identifies the customer from their fingerprint, and would be useful to law enforcement. If it's some other way of identifying people from f

I agree with your comments, but they are technically correct about the fingerprints being different. The government stores them as images on what are called "ten print" glass plates. Most matching is still done by hand.There are two reasons why the fingerprints are different. The first is that they don't store the fingerprint or any image of the finger print, they run a filter to make the initial image black and white(no grays). Then they run an edge detection filter to make the lines obvious. An algor

Only the graph is saved, and the graphs are compared to verify identity. The fingerprint data that my company uses is less than 1k of data consisting of only minutiae type, links to other minutiae, and distances. So in other words, there is no way to get an image of the finger back, so the police can't use it(for manual matching).

All they have to do is use your equipment to generate a matching graph of the fingerprint in question, and the police can match against your records that way. In other words,

Me too, there is a thriving business in Florida selling used tickets. The people on the gates of Disney simply wave you through if the fingerprint machine flags a problem. The machine let me through even though I bought a dog eared ticket from some dude in a hot-air-balloon shaped kiosk.

Just one more point:

backed by $130 million in VC cash

Holy Shit! The (failed) Beagle Mars lander only cost 40 million GBP ($71 million) to launch and was a much better idea IMHO.

From the sounds of it they are either recording the information based on something different that cannot be used to reconstruct the data pattern currently in use at places like the FBI, or they are hashing the results prior to storage. In either case the data they have would be no use to the FBI etc.I haven't gotten a chance to do much digginng into fingerprint recognition, but it appears to be based on the anomolies in your prints. There's probably a name for them... spots where there are enclosing circ

Does this new gizmo do something magical to avoid this rather easy attack?

Just google gummibear and fingerprint and you'll find a gazillion How Toarticles.

If the biometrics guys are 'a bit puzzled by customer privacy fears" thenthey are horribly ill-informed!

I can avoid leaving my credit card lying around for someone to steal - butit's very hard indeed to avoid leaving my fingerprints in all sorts ofpublic places. If I could find out how to defeat their scanner so easilywith about 10 seconds of Googling - you can be very sure that the bad guyswill be lining up.

Any gummy-child old enough to get in a bag is old enough to decide what to do with itself is OK, as long as it is properly educated as to the risks. Consent is the issue here, that and the nebulous, improperly drawn as a line in the manufacturing sand of the nature of what "informed" means.

Wow, did you actually read the article that you linked against? That basically had nothing to do with gummibears-- the example of them was only as FUD against biometrics. The real techniques required circuts, cameras and chemistery.

"Wow, did you actually read the article that you linked against? That basically had nothing to do with gummibears-- the example of them was only as FUD against biometrics. The real techniques required circuts, cameras and chemistery."Yes - I did read it. As I understand it, the process is:

1) Use some cyanoacrylate (superglue) - just as the police forensics guys do - to 'develop' the latent print into something you can see.2) Photograph it with a regular digital camera.3) Print the photo (using your compute

Superglue, cameras, blank circuit boards, and etchant are required to make the mold. All crap I have had laying around my house for the past 20 years. And gelatin is require to make the fingerprints. That's in my pantry, and not so old. The last two ingredients are knowledge (see the link) and the lack of ethics that keep normal people from committing crimes (in sadly short supply.)

"Gummibear fingerprints" are not certainly not FUD (although they're not made from real gummibears.) They're a real attack that's easy to make, and fun to eat!

The reasons they'd work so well for fraud are numerous. First, while it's pretty easy to keep track of your fingers, it's virtually impossible to "guard" your fingerprints. You leave them everywhere -- your phone, doorknobs, keyboards, dishes, plastic bags, everywhere. It just takes a little bit of "Hardy Boys Detective Handbook" work to photograph them. Making a circuit board from a photograph is something I did a lot in 7th grade, but nowdays digital cameras and laser printers are more common than photographic enlargers. And even I can mix up gelatin without burning down the kitchen.

The neat thing is that gelatin itself is the ideal material for forging fingerprints. It is simply animal protein (it's pretty much ground up cow hooves and collagen, if you want the real details.) It's biotic matter, so it has roughly the same electrical capacitive properties as human skin. It's thin and transparent, so a "pulse detector" that senses the infrared pulses given off by circulating blood can see right through it. And if you wet it, it's kind of sticky and can easily be applied to the fingertips before heading to the cash register. Once applied, they're virtually impossible to see. Gelatin is almost indistinguishable in every way from human skin.

Everything that a fingerprint scanner can be built to look for (at a cheap enough price to sell to grocery stores) is right there on your fingertip. Even if the alarm bells sounded and the guards came running, you'd still have time to pop your finger into your mouth and eat the evidence.

My bank requires that their customers provide a password so that they can "verify" who their dealing with over the phone, or even at the teller line. Here's the funny part...the tellers will just ask, out in the open, "what's your password?" and the customers just stand there and blurt them out for anyone to hear. It's the dumbest form of "security" I've seen.

That might work - but it's a pretty flimsy solution for a serious security problem. If gummibears didn't work, just how long do you think it would take for the bad guys to figure out how to take a latex mold or something.It's not enough to make it a bit harder - you have to make it virtually impossible.

Worse still - once someone has cloned your fingerprint, what do you do about it? If someone clones your credit card you can phone the card company and they put a stop on that card and issue a new one. Thi

I do not mean to denigrate cashiers as most are fine people in a tough job situation when I say that any system that relies on them to do any security related task other then obey the transaction computer or count cash (and maybe not even that) is bound to fail simply because the cost of a security related failure is so low compared to the cost of human driven security.

Yes, yes they will. And once this is common in convinence stores, expect them to come to ATMs. That's where it gets really dangers. The screwed up part is that it's not just dangerous for the people stupid enough to use this system. It is dangerous for everyone that lives anywhere near one of these systems.

Some people's fingerprints can't be scanned by these machines... Last year I went to Florida and they have fingerprint machines at all the big theme parts and at the airport.
None of these machines could pick up my prints... And every second time I used them I got rejected... So this flawless technology is anything but... I do nothing special with my hands, so it must be one of those "from birth" things... But if you're unlucky like I am then don't expect to be paying with your fingers any time soon.
I am not looking forward to going back though American customs as I know the fingerprint machine will reject my prints and I'll get sent home or something crazy.

The Pay-By-Touch sales representative that I met with a couple years ago told me that about 1-2% of the population has fingerprints that can't be read by their machine. Particularly affected were 'pineapple pickers.' He said the combination of the enzymes and acids in the pineapple juices plus the rough texture of the plants caused their fingerprints to be completely obliterated.

The Pay-By-Touch salesman wasn't referring to the "oily fingerprints left as evidence at the scene of a crime", he was referring to the actual ridges and whorls on the surface of the skin. The PBT reader doesn't look for skin oils, it just reads the surface profile looking at the ridges, intersections and islands. The pineapple pickers simply don't have any texture at all on their fingertips.

"After all, they say, how can using a unique fingerprint for identification be riskier to theft than a plastic card, key chain token, or account number?"

Just look at murder victims whose hands have been lopped off to hide their identities. It doesn't take much of a (morbid) leap of logic that someone could hold onto a thumb, and surrepticiously use it to withdraw someone's entire finances.

Let's face it... biometric authentication/payment is really cool. As long as I can be sure the cryptographic basis of it is secure (i.e., that my fingerprint can't be recreated from it), I would be comfortable using it. But you know, most of the world is stupid and doesn't understand this kind of stuff, or has stupid opinions about it, and will be afraid of it. I understand that people are afraid about invasion of privacy and identity theft, but the issue should be "Are we sure that company $X's implemen

How about "Biometrics are horrible security methods"? YOu can cancel CC numbers, revoke certificates, and change passwords. How the fuck do you change your fingerprint? You can't. Its comprimised once (and these machines are easy to fool) and you have no security.

Yeah. That's a good excuse, I agree. But my point was that the majority of the population will reject it because it is "creepy" to them, without considering how it actually works or the real risks and rewards.

What someone needs to do is create a smart card with a built-in fingerprint reader and PIN pad, so you can use your own, totally secure device. It will authenticate you using the PIN and fingerprint, and then allow you to cryptographically authenticate to another device (e.g. the payment system at

But you know, most of the world is stupid and doesn't understand this kind of stuff, or has stupid opinions about it, and will be afraid of it.

Don't mind me, I'm just buying some powder, a makeup brush and tape. Don't mind my friend in line ahead of you, he's just testing out his new windex on the fingerprint reader to make sure the bottle isn't defective.

I'm not "stupid" but I do have opinions of this. Based on their demo [paybytouch.com] (flash) they use a simple pad-based scanner where you press your finger, rather tha

Oh. That's stupid, the swipe-based ones are more secure, take less space, are cheaper to build (I would suspect a row of LED's and optical sensors is cheaper than an entire grid of them or a small camera), and look niftier.

'The fingerprint image recorded is not the same as those collected by the federal government or law enforcement.'

But just watch...it could be USED by law enforcement in about ten seconds!

California has required you to give a scanned fingerprint for years just to get or renew your driver's license. I've always wondered how many divisions of law enforcement now have MY fingerprint in their dtatbase. When I asked the guy at the DMV, he said he didn't know, but was SURE that law enforcement could access the

Many fingerprint readers can detect whether the finger is alive or dead, which should help partially solve this problem (but only if all fingerprint readers use this technology, otherwise they will just exploit the one that doesn't).The other two issues that I think are more important (and mentioned already above) are:

* Your fingerprint is basically public information - you leave a copy of it on everything you touch* Unlike a bank card or a password, it cannot be changed once it is compromised.

There are some people willing to steal a wallet. There are not very many that will steal a finger.

Credit card fraud cases don't get much attention since they are a dime a dozen. Violent assault cases get much more attention, and thus have a much greater chance of getting caught. I think most criminals willing to attack a human and take their finger would find the risk outweighs any potential gains.

There are some people willing to steal a wallet. There are not very many that will steal a finger.

The argument is that stealing a wallet has, historically speaking, been a profit-making enterprise. Stealing a finger, however, has not. The use of a fingerprint for authentication changes the status quo; now stealing a finger offers the same motivation: Profit. The argument is that this will create the pool of folks who will steal fingers in a natural manner.

There is still a limited window of opportunity for using the finger. You chop off my finger, relatively soon, I'm going to notify my bank soon, unless you kill me, in which case, you probably would have killed me for my wallet and credit cards anyways.
Most criminals are cowards, looking for a safe, easy mark. Stealing a finger is neither safe nor easy.
You can do all sorts of things to make finger stealing unprofitable. Let the user choose which finger it is (so the attacker doesn't know which one to t

There's nothing inherently difficult about making a severed finger or removed eye show lifesigns, from pulse to micromovements to blinking.

Ehhhh?? This is a very bizarre statement to make. So, you've chopped someone's finger off and there's blood everywhere. It's pretty much all leaked out of the finger. How exactly do you use this in the next 30 minutes to purchase something, without suspicion, whilst making blood pump through it?

So, you've chopped someone's finger off and there's blood everywhere. It's pretty much all leaked out of the finger.

The finger won't leak much blood. It's not attached to a a heart to pump it, you see. So, no blood pressure. The stump will leak blood, but that's not a technical problem for the thief. It might even be an advantage, because...

How exactly do you use this in the next 30 minutes to purchase something, without suspicion, whilst making blood pump through it?

Iris scanners are not that expensive anymore, and I don't understand why thumb scanners are used anywhere outside of having a little usb toy attached to your computer. This confusion doubles when you consider it in situations where security is very important, like cash transactions.

Scuttlemonkey wrote "An anonymous reader writes..." despite the fact that this is my journal [slashdot.org] entry, and says qo quite clearly at the top of the story: "Journal written by anaesthetica (596507) and posted by ScuttleMonkey on 14:12 Saturday 24 June 2006"

I mean, I may not stand out in a crowd, but this is just an unnecessary blow to my ego.

I think it's a new feature. When you write a journal entry you can click a checkbox to submit it as a story as well. I think this is a nicer option, because I like to save the stories I've submitted anyway.

Cub Foods also uses it. You need to enter a 7 digit number along with your finger print. It really didn't seem easier than swiping a card and entering a four digit number, so I didn't go with it. They suggest using your phone number for the seven digit number. I imagine the number is needed to make the database lookup practical. I wonder what would happen if LOTS of people started using the same seven digit number "1234567"...

The 7 digit number is probably there to conform to the normal standard of requiring two pieces of ID for confirmation of who you are. The 7 digit number is one, and your fingerprint is the other. This not only confirms your identity but also confirms that their records are accurate with respect to any identification that you have previously provided them with. If something doesn't match up with their records, they can ask you for details and confirm your identity another way before processing your payment.

I'd bet there are many duplicate fingerprints as far as their scanners are concerned if they need you to use such a long pin. The system probably functions primarily on your pin, using a relatively low quality fingerprint scan for verification or duplicate resolution in case two people have the same pin.

For all you phobic people out there who don't want them to "have a copy of your fingerprint" from what I found out from the employees it doesn't work that way. It doesn't store your fingerprint, just certain points on it. So really there is not a way to one way hash back to your actual fingerprint. Now, maybe the employee didn't know what they were talking about but for them to have

*most fingerprint systems don't store the actual fingerprint*.The easiest, most computationally inexpensive way to check fingerprints against a database is to hash the print that you found at the crime scene--or the point of sale--and compare it to a database of hashes stored in the same way.

If you have the hash database, you have the fingerprint. Just because it's not the *same* hash as what law enforcement uses doesn't stop the NSA from using it against you. If you had more than one hash database, you m

Actually this is how all law enforcement data bases work. They find places where print ridges have certain kinds of discontinuities, bifurcations etc... then store the potions of these points relative to each other. Very few database matches rely on a complete match, nor are they actually comparing actual pictures of prints, but rather how many points in common line up. Since lifting prints often distorts the print or misses some areas, exact matches are
really ever found, but the quality of the match go

We did an interview with these guys long before the SP Times did, when they first started rolling the system out in the Bay area. Supposedly their machines require a normal body temperature and a pulse to be detected and the process can take a few seconds.Also note that the system is closed. Merchants have no ability to troubleshoot or fix their machines, it requires a full visit by the company. It also requires a broadband connection. Yes, it goes over the Internet. Many, many small stores still use dialup

Well, they seemingly are stupid like a dumb ducks behind, and still they will get rich. Why ? Because such moves will be backed heavily by US government, since they will be able to get a nationwide fingerprint database in a few months and they don't even have to pay for it.

I'd prefer living without money in a jungle than using my fingerprint as a payment method, that's for sure.

how can using a unique fingerprint for identification be riskier to theft than a plast

It is important to know that these sensors are not optical in any way. They are using sensors similar to those from Authentec which use an RF scan to penetrate the first layer of skin. This eliminates problems with "too wet" and "too dry" fingers and also prevents spoofing by just about everything except cutting the finger off.

There are some systems that can be fooled much easier, but they are not being used by PayByTouch. Nor is anyone serious about using a fingerprint scanner anymore.

Microsoft sells an optically-based fingerprint scanner that can be fooled by latex molds, gummi bears and lots of other stuff.

is a fear of two-factor authentication. Really, the solution here is to keep the fancy fingerprint-system and to *combine* it with a PIN that can be changed readily by presenting a second form of photo ID. This way, if your fingerprints get compromised, your PIN is still unique and you can change it whenever you want. The fact that they're so insistent on "touch it and go without any work!" is the security downfall, and it's kind of sad when it would literally take an extra 10 seconds at most to input a 6-d

have had this for about 6 weeks now. I still pay with cash or credit card because the notion of giving my fingerprints to the government (via Jewel) doesn't appeal to me.

I wonder if any of the people who signed up for this considered the fact that the government could obtain their fingerprints by doing nothing more than getting a subpeona. In fact, I suspect that most businesses would gladly divulge them for the asking, so long as it was for fighting terrorism.

So...someone gets your card with your biometric data on it, and the card gets hacked. Now they can make new cards with your info including your fingerprints on it. Fingerprint readers can be faked pretty easily these days, using all sorts of products available in the home. Once your fingerprints along with your ID are stolen, that's pretty much it. You can't change your fingerprints. With username/password or credit card info, if it gets stolen, you can simply change all that info or get a new card with a n

"A chain of Florida convenience stores has begun accepting fingerprints as payment, using a biometric system called Pay By Touch. The company is a Bay-area startup backed by $130 million in VC cash and the acquisition of BioPay, a Virginia-based biometrics firm that's already done $7 billion in European transactions...

Okay, we just need an Australian court to decide the distribution of remaining assets to Japanese investors on the sellers in Nigerian government officials to make this truly a world-wide

We use finger print readers where I work. This, of course, only applies to the system I'm familiar with, but I doubt the store one is that divergent. They don't store anything resembling an image, but rather a numerical encoding of a given number of key points. I get the impression the actual process involves some kind of hash number validation.

The reason that "the fingerprint image recorded is not the same as those collected by the federal government or law enforcement" may be chillingly pragmatic. We were told when implementing our system that if we stored fingerprint data up to government specs we would be required to provide that information to the government. As a result our company, and most others, store data below the threshold that will get them noticed by the feds.

The fingerprint validation itself is somewhat fluid. Most people don't press the reader the exact same way twice in a row, the finger distorts under different levels of pressure, reacts to environmental changes, and even the current health of the individual. This kind validation requires a level tolerance to be set.

Some individuals never seem to get a good read, the tolerance for such people needs to be loosened to get any kind of positive feedback. As a result, some of our employees could hoist a big toe on the reader and probably get a pass. I simply wouldn't trust these things not to mistake me for the granny with the bad fingerprints.

There is a supermarket chain where I am, Farm Fresh, that has been using fingerprints and "PayByTouch" for atleast a year now. Never tried it, they're food kinda went down the toilet (though they have a good beer selection) so I don't go there that much and the cash I usually use hasn't been rejected yet... It's just one of those POS attachments that sits there but never gets used. Anyone tried it? Anyone had real experience with this system? Is it anything like the fingerprint scanners coming with some lap

Sorry, but if I'm to get mugged or defrauded by a desperate criminal, I'd much rather lose my wallet than my thumb or index finger. Just a thought. I can get new credit cards. I can't get a new finger quite as easily.

nono, that's not what I was trying to say - I can still look through your dumpster to find your cc number and not have you know! (Or, phish for it, which seems to work considering nobody'd bother trying if it didn't)